Zoom fixed critical Node Multimedia Routers flaw

Zoom addressed a critical security vulnerability, tracked as CVE-2026-22844, that could result in remote code execution.

Cloud-based video conferencing and online collaboration platform Zoom released security updates to address multiple vulnerabilities, including command injection, tracked as CVE-2026-22844 (CVSS score of 9.9), in Zoom Node Multimedia Routers (MMRs) that could result in remote code execution.

“A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access.” reads the advisory. “Customers that are using Zoom Node Meetings Hybrid or Meeting Connector deployments are advised to have their administrators update to the latest available MMR version.”

The company’s Offensive Security team discovered the vulnerability.

The flaw impacts the following products:

• Node Meeting Connector (MC) MMR module versions prior to 5.2.1716.0
• Node Meetings Hybrid (ZMH) MMR module versions prior to 5.2.1716.0

The company is not aware of attacks in the wild exploiting this vulnerability.

In August 2025, Zoom addressed a critical security flaw, tracked as CVE-2025-49457 (CVSS score of 9.6) in Zoom Clients for Windows.

An unauthenticated user can exploit the vulnerability to conduct an escalation of privilege via network access.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-22844)